Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Microsoft Defender Blocked from Loading Unsigned DLL

Detects Code Integrity (CI) engine blocking Microsoft Defender's processes (MpCmdRun and NisSrv) from loading unsigned DLLs which may be an attempt to sideload arbitrary DLL

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Bhabesh RajCreated Tue Aug 02Updated Wed Sep 280b0ea3cc-99c8-4730-9c53-45deee2a4c86windows
Log Source
Windowssecurity-mitigations
ProductWindows← raw: windows
Servicesecurity-mitigations← raw: security-mitigations
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID:
            - 11
            - 12 # MDE: ExploitGuardNonMicrosoftSignedBlocked
        ProcessPath|endswith:
            - '\MpCmdRun.exe'
            - '\NisSrv.exe'
    condition: selection
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
sentinelone.com
MITRE ATT&CK
Rule Metadata
Rule ID
0b0ea3cc-99c8-4730-9c53-45deee2a4c86
Status
test
Level
high
Type
Detection
Created
Tue Aug 02
Modified
Wed Sep 28
Author
Bhabesh Raj
Path
rules/windows/builtin/security_mitigations/win_security_mitigations_defender_load_unsigned_dll.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001
View on GitHub